I agree, but revealing the salt or not revealing the salt is not as security relevant.

> -----Original Message-----
> From: x500standard-bounce@xxxxxxxxxxxxx
> [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of David Wilson
> Sent: Wednesday, September 23, 2009 4:16 PM
> To: x500standard@xxxxxxxxxxxxx
> Subject: [x500standard] Re: New draft on password policy
>
> On Wed, 2009-09-23 at 16:06 -0400, Santosh Chokhani wrote:
> > I think I am digressing, but when you encrypt, you do not need the key
> > necessarily since both the data and key can be password (the way Unix
> > used to do, and may be still does).
> >
> That is OK if the server has the plain text password, as the
> server can get the salt, and then hash the password it has
> with the salt found, to see if the result is the same as was
> passed. However, this has the disadvantages I outlined.
>
> -----
> www.x500standard.com: The central source for information on
> the X.500 Directory Standard.
>

-----
www.x500standard.com: The central source for information on the X.500 Directory Standard.
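The two verification arrangements discussed in the exchange above, written out as an added Python example (this is not code from the thread or from either poster; the KDF, iteration count and salt length are assumptions chosen for illustration). The first arrangement stores a public salt next to a salted hash and verifies a presented plaintext, which is where "revealing the salt" costs nothing. The second is the arrangement David Wilson describes: the client sends a salted hash and the server can only check it by holding the plaintext itself and re-hashing with the same salt.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for the example; a real deployment tunes these.
ITERATIONS = 100_000
SALT_BYTES = 16


def salted_hash(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from password and salt (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# --- Arrangement 1: server stores (salt, hash); client presents plaintext ---

def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Build the stored credential. The salt is kept in the clear beside the
    hash; it has to be unique per user, not secret."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return salt, salted_hash(password, salt)


def verify_plaintext(record: Tuple[bytes, bytes], presented: str) -> bool:
    """Re-derive with the stored salt and compare in constant time.
    The server never needs the plaintext at rest."""
    salt, stored = record
    return hmac.compare_digest(salted_hash(presented, salt), stored)


def same_password_differs(password: str) -> bool:
    """Two records for the same password differ because the salts differ;
    that is what the salt buys even though an attacker can read it."""
    return make_record(password)[1] != make_record(password)[1]


# --- Arrangement 2: client sends hash(password, salt); server holds plaintext ---

def verify_client_hash(server_plaintext: str, salt: bytes, presented_hash: bytes) -> bool:
    """The server 'gets the salt, hashes the password it has with the salt
    found, and checks the result is the same as was passed'. It only works
    because the server keeps the plaintext, which is the disadvantage."""
    return hmac.compare_digest(salted_hash(server_plaintext, salt), presented_hash)


if __name__ == "__main__":
    # Constructed sample credential, not real data.
    rec = make_record("correct horse battery staple")
    print("arrangement 1 accept:", verify_plaintext(rec, "correct horse battery staple"))
    print("arrangement 1 reject:", verify_plaintext(rec, "wrong"))
    salt = os.urandom(SALT_BYTES)
    client_value = salted_hash("correct horse battery staple", salt)
    print("arrangement 2 accept:", verify_client_hash("correct horse battery staple", salt, client_value))
```

In arrangement 1 the only secret on the server is the derived hash, so disclosing the salt merely lets an attacker target one user's hash rather than all of them at once, which is exactly what per-user salting is meant to force. Arrangement 2 keeps the plaintext on the server, so a server compromise yields the password directly, regardless of whether the salt was ever hidden.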